UMGC Policy X-1.09

IT Disaster Recovery

Policy Category: X, Information Governance, Security & Technology

Policy No. & Title: X-1.09, IT Disaster Recovery

Policy Owner: VP of Information Security

Effective Date: July 1, 2021

Revision Number: N/A

Revision Eff. Date: N/A

Review Cycle: Every 3 years

  1. Purpose

    The purpose of this Disaster Recovery Policy is to ensure the continuity and recovery of University of Maryland Global Campus ("UMGC" or University) Critical Information Systems in the event of an emergency or disaster.

  2. Scope and Applicability

    This policy applies to all University Information Systems and Information Resources. All Users are responsible for adhering to this policy.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    1. Business Continuity: an ongoing process to ensure that necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.

    2. Confidential Data: Data that requires restrictions on access and disclosure, including the protection of personal privacy and proprietary information.

    3. Contractor: A person or company that undertakes a contract to provide materials or labor to provide a service.

    4. Critical Information Systems: Inter-related components of Information Resources working together where the loss of confidentiality, integrity, availability, or privacy could be expected to have a severe or catastrophic adverse effect on organization operations, organization assets, or individuals.

    5. Data Steward: The UMGC employees, or designees, who are responsible for determining User access and assigning Data Classifications to data originating from or residing in their respective business units.

    6. Disaster Recovery: The ability to restore the University's critical systems and return the entity to an acceptable operating condition following a catastrophic event, by activating a disaster recovery plan. Disaster Recovery is a subset of business continuity planning.

    7. Disaster Recovery Plan (DRP): A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.

    8. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

    9. File: A collection of Information logically grouped into a single entity and referenced by a unique name, such as a file name.

    10. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numeric, graphic, cartographic, narrative, or audiovisual.

    11. Information Resource: Anything that is intended to generate, store, or transmit Information.

    12. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

    13. Users: A University community member, including but not limited to, staff, faculty, students, alumni and individuals working on behalf of the University, including third party vendors, Contractors, consultants, volunteers and other individuals who may have a need to access, use or control University Data.

  4. Disaster Recovery Plan

    1. A Disaster Recovery Plan must be developed and implemented for centralized Information Technology Resources to ensure sufficient response and remediation of critical IT functions in the event of an unscheduled interruption.

    2. Business units that own and administer University Information Technology Resources must have documented Disaster Recovery Plans and are responsible for ensuring sufficient financial, personnel, and other resources are available as necessary.

    3. At a minimum, the plan should identify and protect against risks to Critical Information Systems and Confidential Data consistent with the USM IT Security Standards, provide for contingencies to restore Information and Information Resources in the event of a disaster, and include:

      1. Resource Contact List

      2. Succession plan

      3. Restoration Priority List

      4. Description of current back-up and restoration procedures

      5. Description of the back-up storage location(s) and services

      6. Equipment replacement plan

      7. Communications plan

    4. The Disaster Recovery Plan must be updated and tested annually or when new Critical Information Systems are installed, if technically feasible.

  5. Backup and Restore

    1. Critical Information Systems shall be periodically backed up and copies maintained at reasonably distant locations not prone to similar catastrophic events.

    2. Backup and restore requirements for Critical Information Systems shall be defined by the Data Stewards to include:

      1. Data and Files to be backed up

      2. Recovery Time Objective (RTO) – the length of time by which the system must be returned to an acceptable level of service

      3. Recovery Point Objective (RPO) – the point in time to which processing has to be returned

      4. Retention period for backup media defined by the Data Owner and according to the University Data Retention Policy

    3. All back-up media containing Confidential Data must be encrypted.

  6. Exceptions

    Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control should be documented and approved.

  7. Enforcement

    UMGC Employees who violate this Policy may be subject to disciplinary action, up to and including termination of employment.

  8. Related Policies

    1. Acceptable Use

    2. Account Management

    3. Data Classification

    4. Information Security

    5. Information Security Awareness and Training

    6. Information Security Incident Management

  9. Effective Date: This policy is effective as of the Effective Date set forth above and supersedes all prior policies on the subject matter hereof.